File System Encryption

In this article we are going to look at how to encrypt a partition during the installation of SUSE Linux Enterprise and after the installation; we will also look at creating encrypted disk containers. The purpose of disk encryption is to prevent malicious users from viewing or stealing your private data.

Encrypting Partitions during Installation

The first method we are going to look at is encrypting a partition during the installation process; this is probably the easiest method of encrypting a partition. Once the installation of SUSE Linux Enterprise has begun you will come to the “Installation Settings” screen, where you should click on the blue “Partitioning” link. Once you have clicked on the “Partitioning” link you will be presented with a new screen, “Partitioning Suggestions”, as shown in Figure 1.

The option you should select from Figure 1 is “Create Custom Partition Setup”. Once you have selected this option, click on the Next button, which will bring you to a new screen, “Preparing Hard Disk: Step 1”. The option you should choose from this screen is “Custom Partitioning (for experts)”.

Now that you are in the partitioning screen, click on the Create button to create a new partition. When you have clicked on the “Create” button you will be prompted with a new window asking whether you would like to format the partition, how big the partition should be and where you would like to mount it. Figure 1.1 shows a screenshot of this window.

As you can see in Figure 1.1 the “Encrypt file system” option has been selected; this option encrypts the file system, making it hard for malicious users to view or steal your private data. Once you have finished and clicked on “OK” you will be prompted for a password, as shown in Figure 1.2. The password you enter will be used to decrypt the partition.

Encrypting Partitions

In this section of the article we are going to look at encrypting a partition manually; the partition that we will be working with is “/dev/sda3”. The first step is to get a list of all the encryption modules that are available, which can be done using the “modinfo” command as shown in Figure 2.

linux-yqu3:~ # modinfo /lib/modules/$( uname -r )/kernel/crypto/*

Figure 2: Viewing the available encryption modules.

The command from Figure 2 will produce output similar to that shown in Figure 2.1; this can be tidied up by using the “grep” utility as shown in Figure 2.2.

Once you know what modules are available you can begin setting up the encrypted partition. The second step is to load the cryptoloop module using the “modprobe” command, as shown in Figure 2.3.

linux-yqu3:~ # modprobe cryptoloop

Figure 2.3: Loading the cryptoloop.

Once you have the cryptoloop module loaded you will need to load one of the encryption modules listed by the “modinfo” command. In this article we will load the “Rijndael” module as shown in Figure 2.4.

linux-yqu3:~ # modprobe aes

Figure 2.4: Loading the Rijndael encryption module

If you are wondering where the “aes” value came from and why the word “Rijndael” was not used, look at Figure 2.1 and you will notice a field called “filename”; this is the file (the module name) that needs to be loaded.

Once you have loaded the encryption module you can begin with the partition preparation mentioned earlier. The third step is to fill the partition with random junk, which can be done using the “shred” command as shown in Figure 2.5.

The reason for filling the partition with random junk first is to stop pattern matching attacks.

Once you have filled the partition with junk you can mount the partition to a loop device as shown in Figure 2.6.

linux-yqu3:~ # losetup -e aes /dev/loop0 /dev/sda3
Password:

Figure 2.6: Mounting /dev/sda3 partition to a loop device.

As you can see in Figure 2.6 you are prompted for a password. This password will be needed in the future to decrypt the encrypted partition, so do not forget it; otherwise you will lose your important data.

Once you have successfully set up the loop device for the /dev/sda3 partition you can create a file system on it, as shown in Figure 2.7.

linux-yqu3:~ # mkfs.reiserfs /dev/loop0
mkfs.reiserfs 3.6.19 (2003 www.namesys.com)
A pair of credits:
Many persons came to www.namesys.com/support.html, and got a question answered
for $25, or just gave us a small donation there.
Alexander Lyamin keeps our hardware running, and was very generous to our
project in many little ways.
Guessing about desired format.. Kernel 2.6.16.46-0.12-bigsmp is running.
Format 3.6 with standard journal
Count of blocks on the device: 526128
Number of blocks consumed by mkreiserfs formatting process: 8228
Blocksize: 4096
Hash function used to sort names: "r5"
Journal Size 8193 blocks (first block 18)
Journal Max transaction length 1024
inode generation number: 0
UUID: ed74b631-2fbb-4bed-8b58-64827000ca05
ATTENTION: YOU SHOULD REBOOT AFTER FDISK!
ALL DATA WILL BE LOST ON '/dev/loop0'!
Continue (y/n):y
Initializing journal - 0%....20%....40%....60%....80%....100%
Syncing..ok
ReiserFS is successfully created on /dev/loop0.

Figure 2.7: Installing a file system onto the /dev/sda3 partition.

Once you have formatted the partition you can now mount the partition for use as shown in Figure 2.8.

linux-yqu3:~ # mount -t reiserfs /dev/loop0 /media/private/

Figure 2.8: Mounting the encrypted partition.

Once you have successfully mounted the encrypted partition you can use it as you normally would use a partition. To unmount the encrypted partition you will need to use two commands, “umount” and “losetup”, as shown in Figure 2.9.

Now that you have successfully unmounted the encrypted partition, and perhaps rebooted your machine, you can mount it again using the same commands shown previously, omitting the formatting step, as shown in Figure 3.

As you can see, the partition did not need to be formatted or filled with junk again; you might also want to put the commands in a bash script to mount the partition even faster.

Encryption Containers

In this section of the article we are going to look at encrypted disk containers. The difference between an encrypted disk container and an encrypted partition is that an encrypted container is a file rather than a partition. Setting up encrypted disk containers is very similar to setting up encrypted partitions.

The first step to setting up an encrypted disk container is to see what modules are available; this is identical to what we did previously, as shown in Figure 2. The next step is to load the cryptoloop module and the aes module as shown in Figures 2.3 and 2.4. Once you have loaded the modules you will need to use the “dd” command to create a disk container as shown in Figure 4.

linux-yqu3:~ # dd if=/dev/zero of=/root/private bs=1024M count=1

Figure 4: Creating disk container.

Once you have created the disk container I would strongly recommend you shred the file using the “shred” command to prevent pattern matching attacks. The reason I didn’t use the “/dev/urandom” device is that I find the “shred” command to be much faster.

Mounting the encrypted disk container is identical to Figure 3; you will, however, need to replace /dev/sda3 with /root/private and /dev/loop0 with a free loop device.
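As an added example (not code from the original article), here is the bash script suggested at the end of the partition section, written so that the same functions open either the /dev/sda3 partition or the /root/private container from this section. It assumes the module, tool and file system names used in the article (cryptoloop, aes, losetup, reiserfs, dd, shred) and adds a DRY_RUN mode that only prints the commands.

```shell
#!/bin/sh
# Constructed helper for the cryptoloop procedure in the article; not the
# article's own code. Assumes the cryptoloop and aes modules, losetup,
# mount, dd, shred and reiserfs as used above. Set DRY_RUN=1 to print the
# commands instead of executing them (useful to check before running as root).

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# crypt_open BACKING LOOPDEV MOUNTPOINT
# BACKING is a partition (/dev/sda3) or a container file (/root/private).
# Formatting is deliberately not done here: it is a one-time step (Figure 2.7).
crypt_open() {
    backing=$1; loopdev=$2; mnt=$3
    [ -e "$backing" ] || { echo "no such device or file: $backing" >&2; return 1; }
    run modprobe cryptoloop
    run modprobe aes
    # losetup -e aes asks for the passphrase on the terminal (Figure 2.6).
    run losetup -e aes "$loopdev" "$backing"
    run mount -t reiserfs "$loopdev" "$mnt"
}

# crypt_close LOOPDEV MOUNTPOINT
# Unmount first, then detach the loop device (the order of Figure 2.9);
# once detached, the data cannot be read again without the passphrase.
crypt_close() {
    loopdev=$1; mnt=$2
    run umount "$mnt"
    run losetup -d "$loopdev"
}

# crypt_new_container FILE SIZE_MB
# Create the container (Figure 4) and overwrite it with shred, as recommended,
# so encrypted data cannot be told apart from the random filler.
crypt_new_container() {
    file=$1; size_mb=$2
    run dd if=/dev/zero of="$file" bs=1M count="$size_mb"
    run shred "$file"
}

# Print the first unused loop device, for the case where /dev/loop0 is busy.
free_loop() {
    losetup -f
}
```

Typical use is `crypt_open /root/private "$(free_loop)" /media/private` followed later by `crypt_close /dev/loopN /media/private` with the device free_loop reported.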

Final Thoughts

In this article we looked at setting up encryption during the installation process, which proved to be the simplest method of setting up encryption, and we also looked at manually encrypting partitions along with encrypted disk containers. I hope that you choose to implement one of the methods above to protect your private data against malicious users; otherwise you may face the possibility of someone stealing your private data.


Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up). It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.